Password Complexity Standard

Download the PDF version of the Remote Access User Standard.  PDF file

Standard Information

Responsible Offices

IT Security Office (ITSO)

Additional Information
Document Control Number


Last Reviewed Date


Applies To

This standard applies to every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus (i.e., user) that authenticates to university-owned computing systems or devices.

Note to All Users

Helper-text in white table cells bound by “< >” are designed to help the user with content. Once the user starts typing, the helper texts will automatically be written over and removed. Texts in table cells shaded gray are fixed and shouldn’t be edited.


The purpose of this standard is to define the user password requirements or electronic access to George Mason
University’s workstations and systems. This standard is designed to minimize the potential exposure to George
Mason University from damages that may result from unauthorized use of George Mason University resources.
Damages include the loss of highly sensitive or university confidential data, intellectual property, damage to
public image, and damage to critical George Mason University internal systems


Highly sensitive data is data that, if exposed, could lead to identify theft or exposure of personal health information, financial theft, or otherwise have significant adverse impact on the university.

Password Complexity Standard

Your password:

  • Cannot be your first, middle, or last name
  • Cannot be your username/netID
  • Cannot be reused
  • Must not use dictionary words
  • Must not be easily guessed
  • Must not include repeated characters, such as AAA or 555
  • Must not include alphabetic sequences, such as abc or CBA
  • Must not include numeric sequences, such as 123 or 321
  • Must not use common keyboard sequences, such as QWERTY or password
  • Must be at least 10 and no more than 30 characters long

Only the characters specified below may be used and the password must include 3 out of 4 of the following
character classifications.

  • Lower case: abcdefghijklmnopqrstuvwxyz
  • Numbers: 1234567890
  • Special characters: _

The password selected will be tested against a pro-active password checker library, which tests passwords for
effectiveness (e.g., cracklib).

Change your password as requested. An email reminder will be sent to the account owner about 30 days before
the password expires. For increased security, change your password frequently.

For PCI Compliance

If you authenticate directly to systems, devices, or workstations that are in scope for Payment Card Industry
Data Security Standard compliance you must also:

  • Change your password at least every 90 Days
  • Include both letters and numbers in the password/passphrase



Timetable for Review

This standard will be reviewed each year.

Revision History

VersionDateOrganization/AuthorDescription of Changes
1.02/26/2016IT Security OfficeInitial Release
1.112/11/2019IT Security OfficeAnnual Review; Minor Revisions (reformatting)
1.22/23/2021IT Security OfficeAnnual Review; Minor Revisions (reformatting)
1.33/16/2023IT Security OfficeAnnual Review; Minor Revisions (reformatting)